Monitor Microsoft DNS Server log file

This simple Perl script analyzes the Microsoft DNS server log file and output the following informations :

  • date
  • time
  • remote ip
  • fqdn
Microsoft DNS log field description

The Microsoft DNS log file contains fields described below :

  • 1 Date
  • 2 Time
  • 3 Thread ID
  • 4 Context
  • 5 Internal packet identifier
  • 6 UDP/TCP indicator
  • 7 Send/Receive indicator
  • 8 Remote IP
  • 9 Xid (hex)
  • 10 Query/Response
    • R = Response
    • blank = Query
  • 11 Opcode
    • Q = Standard Query
    • N = Notify
    • U = Update
    • ? = Unknown
  • 12 [ Flags (hex)
  • 13 Flags (char codes)
    • A = Authoritative Answer
    • T = Truncated Response
    • D = Recursion Desired
    • R = Recursion Available
  • 14 ResponseCode ]
  • 15 Question Type
  • 16 Question Name
Perl requirement

To run this script, the Perl library File::Tail is required. You can install it by executing the command : cpan install File::Tail

Enable Microsoft DNS server debug logging

By default, log is disabled. To enable it, follow these steps :

  • launch the DNS Server Management console : mmc dnsmgmt.msc
  • right click on the DNS server name then click on Properties
  • go to the “Debug Logging” tab
  • set as described below
    dnslog
Mount the log folder

In this script, the log file is located in the folder “/mount/log”. The mount point is defined like this in my fstab:
//dnsserver/dns /mount/log cifs credentials=/root/.smbpasswddns,noatime,ro,noserverino,nounix 0 0

The script
use File::Tail;

my $name="/mount/log/dns.log";

$file=File::Tail->new(name=>$name, maxinterval=>1, tail=>0);
while (defined($line=$file->read)) {
        $line =~ s/ +/ /g;
        my @array = split / /, $line;
        my $date = $array[0];
        my $time = $array[1];
        my $remoteip = $array[7];
        my $questionname = $array[-1];
        $questionname =~ s/\((\w+)\)/\./g;
        print "$date\n";
        print "$time\n";
        print "$remoteip\n";
        print "$questionname\n";
}
Monitor Microsoft DNS Server log file

Leave a Reply

Your email address will not be published. Required fields are marked *